sourcefuse / backstage


feat(plugins): validate user access for scaffold #157

Closed sadarunnisa-sf closed 1 month ago

sadarunnisa-sf commented 1 month ago

Restrict Repository Creation and Removal in Backstage to SF GitHub Users and Project Administrators

ARC-149

Description

Currently, anyone can create repositories in Backstage, which leads to several issues. To resolve this issue, I implemented the solution below.

- Created a GitHub team in the Sourcefuse organization. The team name can be configured by an env var and an SSM parameter.
- Users with the admin and member roles from this team can scaffold the template, and eventually the repo will be created. Other users will be able to view the template list but won't be able to scaffold.
- Made the required changes in the Terraform code to add the environment variables.
- Created a custom backend plugin which takes care of validating user access.

Fixes # (issue) https://github.com/sourcefuse/backstage/issues/149

Type of change

Please delete options that are not relevant.

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

Checklist:
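
As an added example (not code from the sourcefuse/backstage repository or from this PR's plugin), the access check the description outlines, written as a plain TypeScript module: the team name is resolved from an env var with an SSM parameter as fallback, the template list stays readable for everyone, and scaffolding is allowed only for logins whose membership in the configured team carries the admin or member role. The variable name `SCAFFOLD_TEAM`, the SSM parameter name, the team name, the logins and the membership table are all assumptions or constructed sample data; the membership source is injected so the example runs offline.

```typescript
// Added example, not the sourcefuse/backstage plugin's own code: a fail-closed
// authorization check for the scaffold action, modelled on the PR description
// (one configured GitHub team; admin/member roles may scaffold; everyone may
// browse the template list). Config keys, logins and the membership table are
// constructed sample data.

export type Action = "read" | "scaffold";

export interface Membership {
  team: string; // GitHub team name/slug
  role: string; // role string as reported by the membership source
}

export interface Decision {
  allowed: boolean;
  reason: string;
}

// Abstracts the membership source. In a real plugin this would wrap the GitHub
// teams API (server-side token); here it is backed by an in-memory table.
export type MembershipLookup = (login: string) => Membership[] | undefined;

// Roles the PR description allows to scaffold. Anything else is denied.
const ALLOWED_ROLES: ReadonlySet<string> = new Set(["admin", "member"]);

// Resolve the team name from an env var first, then an SSM parameter. Both are
// passed in as plain maps (assumed key names) so no AWS/process access is needed.
// Returns undefined when neither source has a non-blank value.
export function resolveTeamName(
  env: Record<string, string | undefined>,
  ssm: Record<string, string | undefined>,
  envKey = "SCAFFOLD_TEAM",            // assumed variable name
  ssmKey = "/backstage/scaffold-team", // assumed parameter name
): string | undefined {
  const value = env[envKey]?.trim() || ssm[ssmKey]?.trim();
  return value ? value : undefined;
}

// Decide whether `login` may perform `action`. Every deny path carries a reason
// so the plugin can log it; a missing team name denies scaffolding rather than
// silently allowing everyone (fail closed).
export function authorize(
  action: Action,
  login: string,
  teamName: string | undefined,
  lookup: MembershipLookup,
): Decision {
  if (action === "read") {
    return { allowed: true, reason: "template list is visible to all users" };
  }
  if (!teamName) {
    return { allowed: false, reason: "scaffold team is not configured" };
  }
  const normalizedLogin = login.trim().toLowerCase(); // GitHub logins are case-insensitive
  if (!normalizedLogin) {
    return { allowed: false, reason: "no authenticated GitHub login" };
  }
  const wantedTeam = teamName.toLowerCase();
  const memberships = lookup(normalizedLogin) ?? [];
  const match = memberships.find((m) => m.team.toLowerCase() === wantedTeam);
  if (!match) {
    return { allowed: false, reason: `${normalizedLogin} is not a member of ${teamName}` };
  }
  if (!ALLOWED_ROLES.has(match.role.toLowerCase())) {
    return { allowed: false, reason: `role '${match.role}' may not scaffold` };
  }
  return { allowed: true, reason: `${normalizedLogin} is ${match.role} of ${teamName}` };
}

// Constructed membership table standing in for the GitHub API response.
const SAMPLE_MEMBERS: Record<string, Membership[]> = {
  alice: [{ team: "backstage-scaffolders", role: "admin" }],
  bob: [{ team: "backstage-scaffolders", role: "member" }],
  carol: [{ team: "backstage-scaffolders", role: "pending" }], // role outside the allow-list
  dave: [{ team: "another-team", role: "member" }],             // right role, wrong team
};
export const sampleLookup: MembershipLookup = (login) => SAMPLE_MEMBERS[login.toLowerCase()];

// Stand-alone demo: one decision per user for the scaffold action.
const demoTeam = resolveTeamName({ SCAFFOLD_TEAM: "backstage-scaffolders" }, {});
for (const user of ["alice", "bob", "carol", "dave", "erin"]) {
  const d = authorize("scaffold", user, demoTeam, sampleLookup);
  console.log(`${user}: ${d.allowed ? "ALLOW" : "DENY"} (${d.reason})`);
}
```

The two design points worth keeping when wiring this into a backend plugin are that the decision is deny-by-default (an unset team name, an unknown login, a membership in a different team or a role outside the allow-list all produce a deny with a loggable reason), and that the membership lookup is done server-side against the configured team rather than trusting anything the client sends.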

github-actions[bot] commented 1 month ago

Terraform plan output for poc


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.backstage.aws_ecs_service.this will be updated in-place
  ~ resource "aws_ecs_service" "this" {
      ~ desired_count                      = 1 -> 2
        id                                 = "arn:aws:ecs:us-east-1:884360309640:service/arc-poc-cluster/arc-poc-cluster-backstage"
        name                               = "arc-poc-cluster-backstage"
        tags                               = {
            "Environment" = "poc"
            "MonoRepo"    = "False"
            "Name"        = "arc-poc-cluster-backstage"
            "Project"     = "arc"
        }
        # (15 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
sonarcloud[bot] commented 1 month ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

github-actions[bot] commented 1 month ago

Terraform plan output for prod


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.backstage.aws_ecs_service.this will be updated in-place
  ~ resource "aws_ecs_service" "this" {
      ~ desired_count                      = 1 -> 2
        id                                 = "arn:aws:ecs:us-east-1:235465132804:service/arc-prod-cluster/arc-prod-cluster-backstage"
        name                               = "arc-prod-cluster-backstage"
        tags                               = {
            "Environment" = "prod"
            "MonoRepo"    = "False"
            "Name"        = "arc-prod-cluster-backstage"
            "Project"     = "arc"
        }
      ~ task_definition                    = "arn:aws:ecs:us-east-1:235465132804:task-definition/arc-prod-cluster-backstage:5" -> (known after apply)
        # (14 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.backstage.aws_ecs_task_definition.this must be replaced
-/+ resource "aws_ecs_task_definition" "this" {
      ~ arn                      = "arn:aws:ecs:us-east-1:235465132804:task-definition/arc-prod-cluster-backstage:5" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-east-1:235465132804:task-definition/arc-prod-cluster-backstage" -> (known after apply)
      ~ container_definitions    = (sensitive value) # forces replacement
      ~ id                       = "arc-prod-cluster-backstage" -> (known after apply)
      ~ revision                 = 5 -> (known after apply)
        tags                     = {
            "Environment" = "prod"
            "MonoRepo"    = "False"
            "Name"        = "arc-prod-cluster-backstage"
            "Project"     = "arc"
        }
        # (8 unchanged attributes hidden)
    }

Plan: 1 to add, 1 to change, 1 to destroy.